‘badBIOS:’ Mysterious Malware Forces People to Erase Complete Systems

October 31, 2013 Updated: July 18, 2015

“badBIOS,” a mysterious malware, has infected the computer of a top security consultant and researcher and it puzzled him.

The malware appeared on the MacBook Air owned by Dragos Ruiu about three years ago. 

Ruiu was finding that despite whatever actions he took, his computer would modify its own settings and delete data without explanation or prompting.

The computer would also transmit data, or “jump,” to other computers, even if the computers weren’t connected to power cords or Ethernet cables, and even though the computers had their Wi-Fi and Bluetooth cards removed.

“We were like, ‘Okay, we’re totally owned,'” Ruiu told Ars Technica. “‘We have to erase all our systems and start from scratch,’ which we did. It was a very painful exercise. I’ve been suspicious of stuff around here ever since.”

But it didn’t stop there.

The infections have continued, even after the systems were wiped clean. 

Besides being able to “jump airgaps,” the malware appears to have self-healing capabilities. 

“We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” Ruiu said. “At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of the sudden the search function in the registry editor stopped working when we were using it to search for their keys.”

Ruiu has been documenting his work battling the malware on Twitter, Facebook, and Google+.

He recently said via Google+ that he found a new development.


Several days later he posted some other thoughts.


Basically, his latest research points to the computers can contaminate USB devices, and vice versa. But he’s still not sure if the initial infection was from a USB device. 

See more posts by him below.

 *Photos via Shutterstock

Follow Zachary on Twitter: @zackstieber